Accessing VIP addresses from LAN
-
Hello, I'm having an issue with VIPs that I can't seem to figure out. I'm new to pfSense but have experience with other routers.
My ISP has provided me with a /29 that I can use. For the sake of argument, my block of public IPs from them is 999.0.0.0/29 (obviously this is just for illustration).
From that block my WAN interface is set to 999.0.0.1.
I also want to assign services on my LAN to additional IPs, so three separate VIPs:
- Type: IP Alias
- Interface: WAN
- IP Addresses:
  - VIP#1: 999.0.0.2/32
  - VIP#2: 999.0.0.3/32
  - VIP#3: 999.0.0.4/32
From there I made a NAT port forward for one of the VIPs:
- Interface: WAN
- Protocol: TCP
- Destination: VIP#1:80
- Target 10.0.0.1:80 (my local service on my LAN)
This works great: from the outside I can connect to my 10.0.0.1:80 service via 999.0.0.2 as expected.
The issue is when I try to connect to the 999.0.0.2 IP from my LAN: I normally get no connection, but sometimes I get a rebind warning.
I've tried a number of tests with LAN rules and also Outbound rules in Hybrid mode, but each time I'm unable to connect to the server.
The reason this all came about is that I have an Edge Switch in the location that is trying to connect to a UNMS server that is hanging off my VIP. I can't use the local IP, since they encode a hash in the URI for the domain, and really I would like to move equipment from one LAN to another without having to reconfigure it each time.
How can I get a LAN resource to access a public IP that was configured as a VIP?
Correction: I am able to just supply the device with an IP to point to, and it does work, but it's kind of a pain, since removing that device from the LAN means it's no longer able to reach the controller.
-
Once I was able to properly google for things I already knew I didn't know, I found this.
https://forum.netgate.com/topic/35849/accessing-wan-s-public-ip-from-the-lan-not-working-please-help/6
Split DNS worked like a charm for me!
I might need to enable reflection in the future, but for now the DNS method works fine.
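The two halves of this thread, the VIP/port-forward setup in the question and the split DNS fix in the reply, can be sanity-checked from a LAN client with a small script. This is an added example, not code from the thread or from pfSense; it uses constructed addresses from the 203.0.113.0/24 documentation range in place of the poster's 999.0.0.0/29, and the hostname `unms.example.com` is a hypothetical stand-in for the UNMS server's FQDN.

```python
import ipaddress
import socket

# Constructed example addresses standing in for the poster's /29 block,
# WAN address, VIP#1 and the LAN host behind the port forward.
ISP_BLOCK = "203.0.113.0/29"
WAN_IP = "203.0.113.1"
PUBLIC_VIP = "203.0.113.2"   # VIP#1: port 80 forwarded to LAN_TARGET
LAN_TARGET = "10.0.0.1"      # the service on the LAN


def candidate_vips(block: str, wan_ip: str) -> list[str]:
    """Host addresses in the ISP block still free for IP Alias VIPs,
    i.e. everything usable except the address already on WAN."""
    net = ipaddress.ip_network(block, strict=True)
    wan = ipaddress.ip_address(wan_ip)
    if wan not in net:
        raise ValueError(f"WAN address {wan_ip} is not inside {block}")
    return [str(h) for h in net.hosts() if h != wan]


def classify_lan_resolution(resolved: str, public_vip: str, lan_target: str) -> str:
    """Given the address a LAN client resolved the service name to, report
    which path its traffic takes:
      direct     - split DNS is in effect; client reaches the LAN host directly
      hairpin    - client got the public VIP; this only works with NAT reflection
      unexpected - neither address; check the host override or upstream answer
    """
    addr = ipaddress.ip_address(resolved)
    if addr == ipaddress.ip_address(lan_target):
        return "direct"
    if addr == ipaddress.ip_address(public_vip):
        return "hairpin"
    return "unexpected"


def check_host(hostname: str) -> str:
    """Resolve `hostname` with this machine's resolver (run from a LAN client
    that uses pfSense for DNS) and classify the answer."""
    return classify_lan_resolution(socket.gethostbyname(hostname), PUBLIC_VIP, LAN_TARGET)


if __name__ == "__main__":
    print("usable VIPs:", candidate_vips(ISP_BLOCK, WAN_IP))
    try:
        print("unms.example.com ->", check_host("unms.example.com"))  # hypothetical name
    except socket.gaierror as exc:
        print("resolution failed:", exc)
```

A "direct" result means the split DNS override is doing its job; "hairpin" means LAN clients are still being sent to the public VIP and would need NAT reflection to connect.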